Skip to main content

Fujian Apex LiveBOS EUVDEUVD-2026-26467

| CVE-2026-7519 MEDIUM
Path Traversal (CWE-22)
2026-05-01 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 01:45 vuln.today
EUVD ID Assigned
May 01, 2026 - 01:22 euvd
EUVD-2026-26467
Analysis Generated
May 01, 2026 - 01:22 vuln.today
CVE Published
May 01, 2026 - 01:16 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability has been found in Fujian Apex LiveBOS up to 2.0. Impacted is an unknown function of the file /feed/UploadImage.do of the component Endpoint. Such manipulation of the argument filename leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1 is recommended to address this issue. Upgrading the affected component is advised.

AnalysisAI

Path traversal in Fujian Apex LiveBOS through the /feed/UploadImage.do endpoint allows remote attackers to manipulate the filename parameter and write files to arbitrary locations on the server. Versions up to 2.0 are affected. Public exploit code is available. Upgrading to version 2.1 resolves the vulnerability.

Technical ContextAI

The vulnerability exists in the UploadImage.do endpoint component, which handles file upload operations. The filename parameter passed to this endpoint is not properly validated or sanitized before use in file system operations, enabling classic path traversal attack patterns using directory traversal sequences (e.g., ../ or absolute paths). This maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a fundamental file system access control weakness where user-supplied input directly influences file write operations without adequate canonicalization or validation. The flaw allows an attacker to escape the intended upload directory and place files in sensitive locations.

RemediationAI

Immediately upgrade Fujian Apex LiveBOS to version 2.1 or later, which addresses the path traversal vulnerability in the UploadImage.do endpoint. For organizations unable to immediately upgrade, implement network-level access controls to restrict access to the /feed/UploadImage.do endpoint to trusted internal systems only, and disable the file upload feature if it is not actively required. Additionally, configure file system permissions on the server to prevent the LiveBOS application process from writing outside its designated upload directory, enforcing operating system-level restrictions as a compensating control. Monitor upload activity for suspicious filename patterns containing directory traversal sequences (../, ..\, or absolute paths) and log all file write operations for forensic review. Refer to vendor advisory channels for patch deployment timelines and verification steps.

Share

EUVD-2026-26467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy